The Heartbleed bug affects millions using the internet

| 15 April 2014

They are calling it catastrophic and apocalyptic. Some cyber security analysts have even suggested that the internet should be switched off for a short period to fix the issue.

The internet is experiencing one of its biggest security threats in history. It has sparked fear and panic among millions of internet users and owners of websites around the world. It has been dubbed the Heartbleed bug, and on a danger scale between one and ten, many security experts have graded it as a ten.

The bug was discovered just over a week ago by engineers at the Finnish cyber security company Codenomicon (Google's security team found it independently), who coined the name Heartbleed after the TLS heartbeat extension, the part of the code in which the flaw lies.

Without getting too technical, the bug is in OpenSSL, an open source cryptographic library that implements the SSL and TLS protocols. SSL/TLS is the protocol that secures the connection between a client, such as a web browser, and a server.

Typically when a user visits a website, reads email or buys something online, this secure exchange happens in the background without us noticing. When you log into your webmail, for example, the browser and the server first perform a TLS handshake in which the browser verifies the server's certificate and the two sides agree on encryption keys; only then is your password sent, encrypted, over the connection.

The vulnerability is a missing bounds check in OpenSSL's handling of the TLS heartbeat message. A peer can declare a payload length of up to 64 kilobytes while actually sending far less, and the vulnerable code copies that many bytes out of the process's memory and sends them back. Each such request can leak whatever happened to be nearby in memory, on either a server or a client running a vulnerable OpenSSL: passwords, session cookies and, in the worst case, the server's private key. With the private key an attacker can decrypt captured traffic or impersonate the site, and the malicious request leaves no trace in the server's logs. That is what makes this bug so dangerous.
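The missing check described above, shown as an added example that is not code from the article or from OpenSSL itself. The bug is CVE-2014-0160, present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g. The "process memory" below is a constructed byte array with a fake session cookie placed right after the incoming heartbeat record, standing in for whatever the real allocator put next to it; the message layout (type byte, two-byte big-endian payload length, payload, 16 bytes of padding) and the length test in the patched handler follow the real code, but the handler functions, the secret and the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define MAX_RESPONSE     (1 + 2 + 65535 + HB_PADDING)

/* Constructed stand-in for a slice of the server's process memory (not real
 * OpenSSL data): the incoming heartbeat record sits at the front and a fake
 * session cookie, standing in for whatever the allocator placed next to it,
 * follows immediately after. Keep claimed lengths below its size in this demo;
 * the real bug reaches up to 64 KB. */
static unsigned char process_memory[512];
static unsigned char response[MAX_RESPONSE];
static const char *const NEIGHBOUR_SECRET = "SESSION=s3cr3t";

/* Build a heartbeat request: type (1 byte), payload length (2 bytes,
 * big-endian), payload, 16 bytes of padding. The claimed length is whatever
 * the peer chose to write; it need not match the bytes actually sent.
 * Returns the record length the TLS record layer would report. */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    size_t record_len = 1 + 2 + actual + HB_PADDING;
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = TLS1_HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + 3, payload, actual);
    memcpy(process_memory + record_len, NEIGHBOUR_SECRET, strlen(NEIGHBOUR_SECRET));
    return record_len;
}

/* Vulnerable handler, modelled on the pre-fix logic: the length field
 * supplied by the peer is trusted and that many bytes are copied from the
 * start of the payload, regardless of how long the record really was. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                               /* the bug: never consulted */
    response[0] = TLS1_HB_RESPONSE;
    response[1] = rec[1];
    response[2] = rec[2];
    memcpy(response + 3, rec + 3, payload_len);  /* over-reads past the record */
    memset(response + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Patched handler: a request whose claimed payload would not fit inside the
 * record it arrived in is silently discarded (returns 0), as the fix does. */
static size_t heartbeat_patched(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;
    response[0] = TLS1_HB_RESPONSE;
    response[1] = rec[1];
    response[2] = rec[2];
    memcpy(response + 3, rec + 3, payload_len);
    memset(response + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

static int response_contains_secret(size_t len)
{
    size_t n = strlen(NEIGHBOUR_SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(response + i, NEIGHBOUR_SECRET, n) == 0)
            return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to a request claiming claimed_len
 * payload bytes (while really sending only "hi") carries the neighbouring secret. */
int vulnerable_leaks(uint16_t claimed_len)
{
    size_t rec_len = build_request(claimed_len, "hi");
    size_t out = heartbeat_vulnerable(process_memory, rec_len);
    return response_contains_secret(out);
}

/* Reply length from the patched handler for the same request; 0 means rejected. */
size_t patched_response_len(uint16_t claimed_len)
{
    size_t rec_len = build_request(claimed_len, "hi");
    return heartbeat_patched(process_memory, rec_len);
}

int main(void)
{
    printf("claimed 2   -> vulnerable leaks: %d, patched reply: %zu bytes\n",
           vulnerable_leaks(2), patched_response_len(2));
    printf("claimed 200 -> vulnerable leaks: %d, patched reply: %zu bytes\n",
           vulnerable_leaks(200), patched_response_len(200));
    return 0;
}
```

An honest two-byte request is answered identically by both handlers. A request that claims 200 bytes while sending two makes the vulnerable handler copy 200 bytes starting at the payload, which runs straight through the padding and into the neighbouring cookie, whereas the patched handler sees that 1 + 2 + 200 + 16 exceeds the 21-byte record and drops it. Nothing about the malicious request fails, so there is no error to log.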

How many sites are affected? It is difficult to tell. About two thirds of the web's active sites run on servers built around OpenSSL, and when the bug was disclosed roughly 500 000 of them were estimated to be running a vulnerable version. Those servers could be hosting government sites, blogs, e-commerce sites and large organisations alike. The scale is enormous, so when security experts call it catastrophic, one can understand the severity of their concerns.

“This bug has the ability to create massive problems unless these servers using the OpenSSL software are patched,” according to Mikko Hyppönen from the F-Secure corporation in Finland.

“Millions of passwords, credit card numbers, and highly sensitive information are at risk with this bug,” added Hyppönen.

Companies like Google and Yahoo have already applied the patch, but thousands of vulnerable machines have not been updated, and this is where the risk is highest. An attacker needs nothing more than a network connection to an unpatched server to pull memory from it, and data that was stolen before a server was patched can still be used afterwards.

Users have been urged to change their passwords, though only once the site in question has been patched, because a new password sent to a still-vulnerable server can be stolen just like the old one. Owners of servers have been instructed to apply the patch that fixes the OpenSSL code and, since the server's private key may already have leaked, to generate a new key, have their certificate reissued and invalidate existing sessions.

What the Heartbleed bug has highlighted is how vulnerable we actually are in this connected world we live in. We place a great deal of trust in websites that hold a huge amount of our personal information. What remains to be seen is what impact this will have, and how much sensitive information has already been stolen.